Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting
CVE-2023-27522

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 7 March 2023

What is CVE-2023-27522?

An HTTP Response Smuggling vulnerability exists within the Apache HTTP Server, specifically when using the mod_proxy_uwsgi module. This issue allows attackers to manipulate the origin response header by using special characters, potentially resulting in the truncation or improper splitting of responses forwarded to clients. Versions affected include Apache HTTP Server from 2.4.30 to 2.4.55, posing a risk to the integrity of web transactions and communications.

Affected Version(s)

Apache HTTP Server 2.4.30 <= 2.4.55

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg0...

https://security.gentoo.org/glsa/202309-01

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 7, 2023
Vulnerability Reserved
Mar 2, 2023

Credit

Dimas Fariski Setyawan Putra (nyxsorcerer)